<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Java Client and security | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="ccs-clients-integrations.html" title="Cross cluster search, clients, and integrations">
<link rel="prev" href="cross-cluster-configuring.html" title="Cross cluster search and security">
<link rel="next" href="http-clients.html" title="HTTP/REST clients and security">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="ccs-clients-integrations.html">Cross cluster search, clients, and integrations</a></span>
»
<span class="breadcrumb-node">Java Client and security</span>
</div>
<div class="navheader">
<span class="prev">
<a href="cross-cluster-configuring.html">« Cross cluster search and security</a>
</span>
<span class="next">
<a href="http-clients.html">HTTP/REST clients and security »</a>
</span>
</div>
<div class="section">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="java-clients"></a>Java Client and security<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h2>
</div></div></div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<h3>Deprecated in 7.0.0.</h3>
<p>The <code class="literal">TransportClient</code> is deprecated in favour of the <a href="/guide/en/elasticsearch/client/java-rest/7.7/java-rest-high.html" class="ulink" target="_top">Java High Level REST Client</a> and will be removed in Elasticsearch 8.0. The <a href="/guide/en/elasticsearch/client/java-rest/7.7/java-rest-high-level-migration.html" class="ulink" target="_top">migration guide</a> describes all the steps needed to migrate.</p>
</div>
</div>
<p>The Elasticsearch security features support the Java <a href="http://www.elastic.co/guide/en/elasticsearch/client/java-api/current/transport-client.html" class="ulink" target="_top">transport client</a> for Elasticsearch.
The transport client uses the same transport protocol that the cluster nodes use
for inter-node communication. It is very efficient as it does not have to marshall
and unmarshall JSON requests like a typical REST client.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Using the Java Node Client with secured clusters is not recommended or
      supported.</p>
</div>
</div>
<h4>
<a id="transport-client"></a>Configuring the Transport Client to work with a Secured Cluster<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h4>
<p>To use the transport client with a secured cluster, you need to:</p>
<div id="java-transport-client-role" class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<a href="/guide/en/elasticsearch/reference/7.7/setup-xpack-client.html" class="ulink" target="_top">Configure the X-Pack transport client</a>.
</li>
<li class="listitem">
Configure a user with the privileges required to start the transport client.
A default <code class="literal">transport_client</code> role is built-in to the Elasticsearch security features,
which grants the
appropriate cluster permissions for the transport client to work with the secured
cluster. The transport client uses the <em>Nodes Info API</em> to fetch information about
the nodes in the cluster.
</li>
<li class="listitem">
<p>Set up the transport client. At a minimum, you must configure <code class="literal">xpack.security.user</code> to
include the name and password of your transport client user in your requests. The
following snippet configures the user credentials globally—​every request
submitted with this client includes the <code class="literal">transport_client_user</code> credentials in
its headers.</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        ...
        .build())
    .addTransportAddress(new TransportAddress("localhost", 9300))
    .addTransportAddress(new TransportAddress("localhost", 9301));</pre>
</div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you configure a transport client without SSL, passwords are sent in
          clear text.</p>
</div>
</div>
<p>You can also add an <code class="literal">Authorization</code> header to each request. If you’ve configured
global authorization credentials, the <code class="literal">Authorization</code> header overrides the global
authentication credentials. This is useful when an application has multiple users
who access Elasticsearch using the same client. You can set the global token to
a user that only has the <code class="literal">transport_client</code> role, and add the <code class="literal">transport_client</code>
role to the individual users.</p>
<p>For example, the following snippet adds the <code class="literal">Authorization</code> header to a search
request:</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.common.settings.SecureString;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;

import static UsernamePasswordToken.basicAuthHeaderValue;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        ...
        .build())
    .build()
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301))

String token = basicAuthHeaderValue("test_user", new SecureString("x-pack-test-password".toCharArray()));

client.filterWithHeader(Collections.singletonMap("Authorization", token))
    .prepareSearch().get();</pre>
</div>
</li>
<li class="listitem">
<p>Enable SSL to authenticate clients and encrypt communications. To enable SSL,
you need to:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Configure the paths to the client’s key and certificate in addition to the certificate authorities.
Client authentication requires every client to have a certification signed by a trusted CA.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Client authentication is enabled by default. For information about
      disabling client authentication, see <a class="xref" href="java-clients.html#disabling-client-auth" title="Disabling client authentication">Disabling Client Authentication</a>.</p>
</div>
</div>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.enabled", true)
        .put("xpack.security.transport.ssl.key", "/path/to/client.key")
        .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        ...
        .build());</pre>
</div>
</li>
<li class="listitem">
<p>Enable the SSL transport by setting <code class="literal">xpack.security.transport.ssl.enabled</code> to <code class="literal">true</code> in the
client configuration.</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "transport_client_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.enabled", true)
        .put("xpack.security.transport.ssl.key", "/path/to/client.key")
        .put("xpack.security.transport.ssl.certificate", "/path/to/client.crt")
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        .put("xpack.security.transport.ssl.enabled", "true")
        ...
        .build())
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9300))
    .addTransportAddress(new TransportAddress(InetAddress.getByName("localhost"), 9301))</pre>
</div>
</li>
</ol>
</div>
</li>
</ol>
</div>
<h5>
<a id="disabling-client-auth"></a>Disabling client authentication<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h5>
<p>If you want to disable client authentication, you can use a client-specific
transport protocol. For more information see <a class="xref" href="separating-node-client-traffic.html" title="Separating node-to-node and client traffic">Separating Node to Node and Client Traffic</a>.</p>
<p>If you are not using client authentication and sign the Elasticsearch node
certificates with your own CA, you need to provide the path to the CA
certificate in your client configuration.</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">import org.elasticsearch.xpack.client.PreBuiltXPackTransportClient;
...

TransportClient client = new PreBuiltXPackTransportClient(Settings.builder()
        .put("cluster.name", "myClusterName")
        .put("xpack.security.user", "test_user:x-pack-test-password")
        .put("xpack.security.transport.ssl.certificate_authorities", "/path/to/ca.crt")
        .put("xpack.security.transport.ssl.enabled", "true")
        ...
        .build())
    .addTransportAddress(new TransportAddress("localhost", 9300))
    .addTransportAddress(new TransportAddress("localhost", 9301));</pre>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you are using a public CA that is already trusted by the Java runtime,
      you do not need to set the <code class="literal">xpack.security.transport.ssl.certificate_authorities</code>.</p>
</div>
</div>
<h5>
<a id="connecting-anonymously"></a>Connecting anonymously<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h5>
<p>To enable the transport client to connect anonymously, you must assign the
anonymous user the privileges defined in the <a class="xref" href="java-clients.html#java-transport-client-role">transport_client</a>
role. Anonymous access must also be enabled, of course. For more information,
see <a class="xref" href="anonymous-access.html" title="Enabling anonymous access">Enabling Anonymous Access</a>.</p>
<h4>
<a id="security-client"></a>Security client<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/ccs-clients-integrations/java.asciidoc">edit</a>
</h4>
<p>The Elastic Stack security features expose an API through the <code class="literal">SecurityClient</code> class.
To get a hold of a <code class="literal">SecurityClient</code> you first need to create the <code class="literal">XPackClient</code>,
which is a wrapper around the existing Elasticsearch clients (any client class implementing
<code class="literal">org.elasticsearch.client.Client</code>).</p>
<p>The following example shows how you can clear the realm caches using
the <code class="literal">SecurityClient</code>:</p>
<div class="pre_wrapper lang-java">
<pre class="programlisting prettyprint lang-java">Client client = ... // create the transport client

XPackClient xpackClient = new XPackClient(client);
SecurityClient securityClient = xpackClient.security();
ClearRealmCacheResponse response = securityClient.authc().prepareClearRealmCache()
    .realms("ldap1", "ad1") <a id="CO494-2"></a><i class="conum" data-value="1"></i>
    .usernames("rdeniro")
    .get();</pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO494-1"><i class="conum" data-value="1"></i></a><a href="#CO494-2"></a></p>
</td>
<td align="left" valign="top">
<p>Clears the <code class="literal">ldap1</code> and <code class="literal">ad1</code> realm caches for the <code class="literal">rdeniro</code> user.</p>
</td>
</tr>
</table>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="cross-cluster-configuring.html">« Cross cluster search and security</a>
</span>
<span class="next">
<a href="http-clients.html">HTTP/REST clients and security »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
